CVE-2026-37429: SQL Injection in qihang-wms
Platform: php
Component: qihang-wms
CVE-2026-37429 describes a SQL Injection vulnerability discovered in qihang-wms, specifically within the SysUserMapper.xml file's datascope parameter. Successful exploitation could allow attackers to extract sensitive data from the database, including Personally Identifiable Information (PII) belonging to users. The vulnerability was identified in commit 75c15a and published on May 13, 2026. A fix is pending.
Impact and Attack Scenarios
The primary impact of this SQL Injection vulnerability lies in the potential for unauthorized access to the qihang-wms database. An attacker could craft malicious SQL statements through the datascope parameter to bypass security controls and directly query the database. This could lead to the exfiltration of sensitive user data, including usernames, passwords, addresses, and other PII. Depending on the database schema and permissions, an attacker might even be able to modify or delete data, leading to data integrity issues and service disruption. The blast radius extends to any system relying on the compromised qihang-wms data, potentially impacting downstream applications and integrations.
Exploitation Context
The vulnerability was published on May 13, 2026, and its exploitation context is currently limited. It is not listed on KEV or EPSS. Public proof-of-concept (POC) code is not yet available, suggesting limited active exploitation at this time. The NVD and CISA have not yet published advisories related to this CVE.
Affected Software
Timeline
- Reserved
- Published
Mitigation and Workarounds
Because no fixed version has been specified, immediate mitigation focuses on preventing exploitation. The most effective short-term measure is strict input validation on the datascope parameter, so that user-supplied data is properly sanitized and escaped before it reaches a SQL query. Web Application Firewalls (WAFs) with rules that detect and block SQL Injection attempts add a further layer of defense. Consider parameterized queries or prepared statements, which handle escaping automatically and prevent SQL Injection. Regularly review and update the qihang-wms codebase to address potential vulnerabilities. Once a patch is available, test the application thoroughly to confirm the vulnerability is resolved and no new issues have been introduced.
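The following is an added illustration of the two mitigations named above (allowlist validation of the scope value and binding it as a query parameter); it is not code from qihang-wms or from the advisory. The table name, columns, sample rows and the assumption that datascope carries a single department id are all constructed for the example; the page does not state how the real mapper uses the parameter. The vulnerable function reproduces the general pattern of splicing the request value into the SQL text, and the hardened one rejects anything that is not a plain integer before binding it.

```python
import re
import sqlite3

# Constructed sample data (not from qihang-wms): a minimal user table with a
# department column that a data-scope filter restricts on.
SAMPLE_ROWS = [
    (1, "alice", 10, "alice@example.test"),
    (2, "bob", 20, "bob@example.test"),
    (3, "carol", 10, "carol@example.test"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sys_user (user_id INTEGER, user_name TEXT, "
        "dept_id INTEGER, email TEXT)"
    )
    conn.executemany("INSERT INTO sys_user VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def list_users_vulnerable(conn, datascope):
    """Splices the scope value straight into the SQL text.

    This is the pattern that makes a scope parameter injectable: the caller's
    string becomes part of the WHERE clause instead of a bound value.
    """
    sql = f"SELECT user_name, email FROM sys_user WHERE dept_id = {datascope}"
    return conn.execute(sql).fetchall()


# Allowlist: a data scope for this example is a department id of 1-9 digits.
_SCOPE_PATTERN = re.compile(r"[0-9]{1,9}")


def scope_is_valid(datascope):
    """True only when the value is exactly a short unsigned integer string."""
    return isinstance(datascope, str) and _SCOPE_PATTERN.fullmatch(datascope) is not None


class InvalidDataScope(ValueError):
    """Raised when a request supplies a scope value outside the allowlist."""


def list_users_hardened(conn, datascope):
    """Validates the scope against the allowlist, then binds it as a parameter.

    Validation stops unexpected input at the boundary; parameter binding means
    the value can never alter the query structure even if validation is later
    relaxed.
    """
    if not scope_is_valid(datascope):
        raise InvalidDataScope(f"rejected datascope value: {datascope!r}")
    sql = "SELECT user_name, email FROM sys_user WHERE dept_id = ?"
    return conn.execute(sql, (int(datascope),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, scope 10:", list_users_vulnerable(db, "10"))
    # A scope string that is not a bare id widens the filter to every row.
    print("vulnerable, malformed scope:", list_users_vulnerable(db, "10 OR 1=1"))
    print("hardened, scope 10:", list_users_hardened(db, "10"))
    try:
        list_users_hardened(db, "10 OR 1=1")
    except InvalidDataScope as exc:
        print("hardened rejected:", exc)
```

In a MyBatis mapper XML file such as the SysUserMapper.xml named in this advisory, the equivalent distinction is between `${...}` (raw text substitution into the statement) and `#{...}` (a bound JDBC parameter); whether the real datascope value is a scalar that can simply be bound, or a SQL fragment the server must assemble from trusted session data rather than from the request, is not stated on this page and would have to be confirmed against the project's source before applying either change.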
How to fix
Update to a fixed version of qihang-wms that addresses the SQL injection vulnerability in the 'datascope' parameter of the SysUserMapper.xml file. Review and sanitize user input to prevent SQL injection attacks.
Frequently asked questions
What is CVE-2026-37429 — SQL Injection in qihang-wms?
CVE-2026-37429 is a SQL Injection vulnerability in qihang-wms, allowing attackers to potentially access sensitive database information via the datascope parameter in the SysUserMapper.xml file. This could lead to data breaches and compromise user PII.
Am I affected by CVE-2026-37429 in qihang-wms?
If you are using qihang-wms and have not applied a patch or implemented mitigating controls, you may be vulnerable. The affected versions are currently unknown, so thorough assessment is recommended.
How do I fix CVE-2026-37429 in qihang-wms?
A specific fix is pending. Mitigation involves strict input validation on the datascope parameter, WAF rules, and parameterized queries. Monitor for updates from the qihang-wms vendor.
Is CVE-2026-37429 being actively exploited?
Currently, there is no public evidence of active exploitation. However, the vulnerability is newly published, and exploitation may occur in the future.
Where can I find the official qihang-wms advisory for CVE-2026-37429?
Check the official qihang-wms website and relevant security mailing lists for updates and advisories related to CVE-2026-37429. Monitor NVD and CISA for published information.